Q&A: Keeping Mobile Applications Secure

The move to an increasingly mobile work force has introduced new challenges for enterprises that need to balance enabling their employees and meeting their security and compliance obligations simultaneously. Mobile apps may introduce specific vulnerabilities that have not been seen before by the business, and the equation of risk and reward is getting very complex.

How can IT make sure mobile apps are visible, secure, and thoroughly tested? For perspective, we contacted Geoff Webb, director or NetIQ, a cloud and security management specialist.

Enterprise Strategies: How does moving applications to the cloud and mobile platforms change the secure development life cycle?

Geoff Webb: The secure development cycle has to change to adapt to the very different set of operating environments that comes with the cloud and mobile environment. Traditional assumptions about the environment that might apply when the application is being run in a data center no longer apply. Therefore, changes should be put in place very early in the development cycle to reflect this.

Security testing should reflect the fact that there is far less control over the environment in the cloud and testing must conform to the demands of the mobile platform manufacturer. This will ultimately create more robust applications for the cloud and personal mobile devices.

Are cloud-based and mobile applications more or less secure than their traditional, locally hosted counterparts?

It depends. Whether or not a cloud-based or mobile application is more secure than a traditional, locally hosted application depends on how well it has been written and tested to adapt to the very different security landscape of the cloud or mobile devices. If the application has been written with all known potential security risks and threats in mind, specific to either a cloud-based or mobile environment, then it stands a good chance of being just as secure as a traditional application. What is clear is that application developers must take into account the new risks of being hosted in a third-party infrastructure (such as in the cloud) when they are developing their applications.

Are mobile applications more or less frequently patched with security updates? Are they more vulnerable?

There is data to suggest that most malware threats to the network come from mobile applications. However, the level of responsiveness to security vulnerabilities, and the effort put into closing them, is entirely dependent on the application developer, and it remains to be seen how high a priority they put on security. Clearly, as more organizations use mobile applications, the pressure on the application vendor to keep them secure will continue to grow. How vulnerable a mobile application is depends upon how well the code has been written to adapt to the particular security landscape of the environment it will live in. If the application is not robust, then the developer should expect to provide more frequent patches.

How can IT make sure they are aware of all mobile applications being used in a corporate environment?

This is a real challenge. There are basically two schools of thought. The first is to adopt a highly prescriptive and, in some ways, invasive approach to managing everything on the device using mobile device management technologies. This, however, can quickly run into significant user resistance when the device is owned by the employee. The second approach is to "sandbox" systems that handle corporate data, thus erecting a firewall of sorts between the personal use of the device and business use.

Of course, for many organizations, it's simpler to do neither and rely on limiting the impact of a breached device on the rest of the corporate network by controlling what it can connect to.

Is it feasible for enterprise IT departments to test mobile applications before they are introduced into their computing environments? If not, how can they minimize the risks they introduce?

As devices become increasingly mobile and cloud-connected, the effects of potential security threats will become farther reaching and potentially more cataclysmic. Therefore, instead of attempting to protect sensitive organizational information by focusing on an increasingly artificial perimeter, it becomes more important to protect data wherever it resides by continuously monitoring who is accessing it, how it is being accessed, and the location where it is being accessed. Vulnerabilities in systems are especially problematic because the high availability, highly interconnected nature of the cloud and mobility mean that weaknesses in one system can be used to attack others far more easily.

Given the difficulties of controlling the applications themselves, the best approach is to think very carefully about what systems the mobile device has access to. Is it used as a method of accessing sensitive systems? If so, is that access managed as part of a broader enterprise access management strategy? Can access from the device be easily disabled if a problem occurs, and can monitoring technology identify if access or activity from a mobile user represents a potential threat? These are key questions to ask when deciding to what extent to allow mobile devices (and the apps that run on them) to access your network.

What else can enterprises do to make sure the mobile applications their employees are using are secure?

For many organizations, the real question will revolve not around the apps themselves but rather the services the device accesses. Mobile devices certainly introduce complexities into both the security process and corporate governance, but in the end they are simply another symptom of the declining relevance of the perimeter security approach.

Focus instead on monitoring what is actually happening, reducing unnecessary access, tracking privileged users, and spotting anomalous activity. Although it's important to worry about the security of apps, that is only your first (and probably least effective) line of defense. If you focus on the basics of good monitoring, network segregation, and user and activity monitoring, the introduction of a rogue application have far less impact, the app will be discovered much earlier, and all the other non-mobile threats will also be easier to deal with.